Friday, October 29, 2010

So I've finally been to AstriCon, and I noticed a greatly increased interest among the attendees in security, fraud and "hacking". The slides for my presentation, "Just how vulnerable is your phone system", can be downloaded from this location.

So what are the changes and additions from the software developer's side?

Asterisk 1.8 has been released, touting TLS support for SIP, SRTP support, and a framework to make auditing easier.

I just received an email from Brekeke highlighting the security page on their wiki, which was originally published on March 11, 2009.

What accounts for these changes? From talking with people at AstriCon I started to understand the reason for the increased interest in security: organizations are really getting hurt by call fraud, and this seems to be on the increase.

Plus, the advice I heard again and again from developers of FreePBX-based systems was:
"Do not make your FreePBX configuration interface available on the Internet; it is not designed for that!"

But if you do a simple scan for Asterisk boxes (using svmap.py from SIPVicious, for example), you'll notice many systems out there that do not heed this advice. Apart from that, as Blake Cornell showed in his presentation, there are many attacks on FreePBX-based systems that can be carried out without direct access to the HTTP configuration interface.
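To make concrete what a scan like the one svmap.py performs actually does, here is an added example (written for this post, not svmap's or Asterisk's own code) that builds a SIP OPTIONS request, sends it over UDP, and fingerprints the reply from the Server/User-Agent banner or the digest realm. The IP addresses are RFC 5737 placeholders, the sample reply is constructed for the example rather than captured from a real host, and the banner patterns assume Asterisk's default "Asterisk PBX" user agent and the "FPBX-..." string FreePBX sets; adjust them for other builds.

```python
"""Minimal SIP OPTIONS probe and fingerprinter (added example, not svmap.py)."""
import re
import socket
import uuid

SIP_PORT = 5060


def build_options(target_ip, target_port=SIP_PORT,
                  local_ip="192.0.2.10", local_port=5060):
    """Build a SIP OPTIONS request per RFC 3261; addresses are placeholders."""
    call_id = uuid.uuid4().hex
    branch = "z9hG4bK" + uuid.uuid4().hex[:16]  # magic cookie + unique id
    tag = uuid.uuid4().hex[:8]
    lines = [
        f"OPTIONS sip:probe@{target_ip}:{target_port} SIP/2.0",
        f"Via: SIP/2.0/UDP {local_ip}:{local_port};branch={branch};rport",
        "Max-Forwards: 70",
        f"From: <sip:probe@{local_ip}>;tag={tag}",
        f"To: <sip:probe@{target_ip}>",
        f"Call-ID: {call_id}@{local_ip}",
        "CSeq: 1 OPTIONS",
        f"Contact: <sip:probe@{local_ip}:{local_port}>",
        "Accept: application/sdp",
        "Content-Length: 0",
        "",
        "",
    ]
    return "\r\n".join(lines).encode()


def parse_response(raw):
    """Return (status_code, headers) with header names lowercased."""
    text = raw.decode("utf-8", errors="replace")
    head = text.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    m = re.match(r"SIP/2\.0 (\d{3})", status_line)
    if not m:
        raise ValueError("not a SIP response")
    headers = {}
    for line in header_lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return int(m.group(1)), headers


def fingerprint(raw):
    """Classify the SIP stack from its banner, falling back to the auth realm."""
    code, headers = parse_response(raw)
    banner = headers.get("server") or headers.get("user-agent") or ""
    # A 401/407 with no banner still leaks the realm, which defaults to "asterisk".
    realm_src = headers.get("www-authenticate", "") + headers.get("proxy-authenticate", "")
    realm = re.search(r'realm="([^"]*)"', realm_src)
    if re.search(r"fpbx|freepbx", banner, re.I):
        kind = "freepbx"            # FreePBX sets a banner like FPBX-x.y.z(...)
    elif re.search(r"asterisk", banner, re.I):
        kind = "asterisk"           # default useragent is "Asterisk PBX"
    elif realm and realm.group(1).lower() == "asterisk":
        kind = "asterisk (realm)"
    elif banner:
        kind = "other"
    else:
        kind = "unknown"
    return {"status": code, "banner": banner, "kind": kind}


def probe(target_ip, port=SIP_PORT, timeout=2.0):
    """Send one OPTIONS over UDP and fingerprint the reply; None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_options(target_ip, port), (target_ip, port))
        try:
            data, _ = s.recvfrom(65535)
        except socket.timeout:
            return None
    return fingerprint(data)


# Constructed sample reply (not captured from any real host) in the shape an
# Asterisk box returns to an unauthenticated OPTIONS.
SAMPLE_ASTERISK_REPLY = (
    b"SIP/2.0 200 OK\r\n"
    b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKdeadbeef;rport=5060\r\n"
    b"From: <sip:probe@192.0.2.10>;tag=abcd1234\r\n"
    b"To: <sip:probe@192.0.2.20>;tag=as5f3e2c1d\r\n"
    b"Call-ID: cafebabe@192.0.2.10\r\n"
    b"CSeq: 1 OPTIONS\r\n"
    b"Server: Asterisk PBX 1.6.2.13\r\n"
    b"Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(fingerprint(SAMPLE_ASTERISK_REPLY))
```

Run `probe("<your own PBX address>")` only against hosts you are authorized to test; the point of the example is that an OPTIONS request needs no credentials, so anything that answers on UDP 5060 from the Internet is visible to exactly this kind of sweep.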